Loading ...
Sorry, an error occurred while loading the content.

[OT] Thieves winning cybersecurity war - NY Times

Expand Messages
  • John Rethorst
    New York Times, December 6, 2008 http://www.nytimes.com/2008/12/06/technology/internet/06security.html? pagewanted=2&em Thieves Winning Online War, Maybe Even
    Message 1 of 2 , Dec 7 4:38 PM
    • 0 Attachment
      New York Times, December 6, 2008


      Thieves Winning Online War, Maybe Even in Your Computer


      SAN FRANCISCO — Internet security is broken, and nobody
      seems to know quite how to fix it.

      Despite the efforts of the computer security industry and a
      half-decade struggle by Microsoft to protect its Windows
      operating system, malicious software is spreading faster
      than ever. The so-called malware surreptitiously takes over
      a PC and then uses that computer to spread more malware to
      other machines exponentially. Computer scientists and
      security researchers acknowledge they cannot get ahead of
      the onslaught.

      As more business and social life has moved onto the Web,
      criminals thriving on an underground economy of credit card
      thefts, bank fraud and other scams rob computer users of an
      estimated $100 billion a year, according to a conservative
      estimate by the Organization for Security and Cooperation
      in Europe. A Russian company that sells fake antivirus
      software that actually takes over a computer pays its
      illicit distributors as much as $5 million a year.
      With vast resources from stolen credit card and other
      financial information, the cyberattackers are handily
      winning a technology arms race.

      "Right now the bad guys are improving more quickly than the
      good guys," said Patrick Lincoln, director of the computer
      science laboratory at SRI International, a science and
      technology research group.

      A well-financed computer underground has built an advantage
      by working in countries that have global Internet
      connections but authorities with little appetite for
      prosecuting offenders who are bringing in significant
      amounts of foreign currency. That was driven home in late
      October when RSA FraudAction Research Lab, a security
      consulting group based in Bedford, Mass., discovered a
      cache of half a million credit card numbers and bank
      account log-ins that had been stolen by a network of
      so-called zombie computers remotely controlled by an online

      In October, researchers at the Georgia Tech Information
      Security Center reported that the percentage of online
      computers worldwide infected by botnets — networks of
      programs connected via the Internet that send spam or
      disrupt Internet-based services — is likely to increase to
      15 percent by the end of this year, from 10 percent in
      2007. That suggests a staggering number of infected
      computers, as many as 10 million, being used to distribute
      spam and malware over the Internet each day, according to
      research compiled by PandaLabs.

      Security researchers concede that their efforts are largely
      an exercise in a game of whack-a-mole because botnets that
      distribute malware like worms, the programs that can move
      from computer to computer, are still relatively invisible
      to commercial antivirus software. A research report last
      month by Stuart Staniford, chief scientist of FireEye, a
      Silicon Valley computer security firm, indicated that in
      tests of 36 commercial antivirus products, fewer than half
      of the newest malicious software programs were identified.
      There have been some recent successes, but they are
      short-lived. On Nov. 11, the volume of spam, which
      transports the malware, dropped by half around the globe
      after an Internet service provider disconnected the McColo
      Corporation, an American firm with Russian ties, from the
      Internet. But the respite is not expected to last long as
      cybercriminals regain control of their spam-generating

      "Modern worms are stealthier and they are professionally
      written," said Bruce Schneier, chief security technology
      officer for British Telecom. "The criminals have gone
      upmarket, and they're organized and international because
      there is real money to be made."

      The gangs keep improving their malware, and now programs
      can be written to hunt for a specific type of information
      stored on a personal computer. For example, some malware
      uses the operating system to look for recent documents
      created by a user, on the assumption they will be more
      valuable. Some routinely watch for and then steal log-in
      and password information, specifically consumer financial

      The sophistication of the programs has in the last two
      years begun to give them almost lifelike capabilities. For
      example, malware programs now infect computers and then
      routinely use their own antivirus capabilities to not only
      disable antivirus software but also remove competing
      malware programs. Recently, Microsoft antimalware
      researchers disassembled an infecting program and were
      stunned to discover that it was programmed to turn on the
      Windows Update feature after it took over the user's
      computer. The infection was ensuring that it was protected
      from other criminal attackers.

      And there is more of it. Microsoft has monitored a 43
      percent jump in malware removed from Windows computers just
      in the last half year.

      The biggest problem may be that people cannot tell if their
      computers are infected because the malware often masks its
      presence from antivirus software. For now, Apple's
      Macintosh computers are more or less exempt from the
      attacks, but researchers expect Apple machines to become a
      larger target as their market share grows.
      The severity of the situation was driven home not long ago
      for Ed Amaroso, AT&T's chief security official. "I was at
      home with my mother's computer recently and I showed her it
      was attacking China," he said. " `Can you just make it run
      a little faster?' she asked, and I told her `Ma, we have to
      reimage your hard disk.' "

      Beyond the billions of dollars lost in theft of money and
      data is another, deeper impact. Many Internet executives
      fear that basic trust in what has become the foundation of
      21st century commerce is rapidly eroding. "There's an
      increasing trend to depend on the Internet for a wide range
      of applications, many of them having to deal with financial
      institutions," said Vinton G. Cerf, one of the original
      designers of the Internet, who is now Google's "chief
      Internet evangelist."

      "The more we depend on these types of systems, the more
      vulnerable we become," he said.

      The United States government has begun to recognize the
      extent of the problem. In January, President Bush signed
      National Security Presidential Directive 54, establishing a
      national cybersecurity initiative. The plan, which may cost
      more than $30 billion over seven years, is directed at
      securing the federal government's own computers as well as
      the systems that run the nation's critical infrastructure,
      like oil and gas networks and electric power and water

      That will do little, however, to help protect businesses
      and consumers who use the hundreds of millions of
      Internet-connected personal computers and cellphones, the
      criminals' newest target.

      Despite new technologies that are holding some attackers at
      bay, several computer security experts said they were
      worried that the economic downturn will make computer
      security the first casualty of corporate spending cuts.
      Security gets hit because it is hard to measure its
      effectiveness, said Eugene Spafford, a computer scientist
      at Purdue University.

      He is pessimistic. "In many respects, we are probably worse
      off than we were 20 years ago," he said, "because all of
      the money has been devoted to patching the current problem
      rather than investing in the redesign of our

      The cyber-criminals appear to be at least as technically
      advanced as the most sophisticated software companies. And
      they are faster and more flexible. As software companies
      have tightened the security of the basic operating systems
      like Windows and Macintosh, attackers have moved on to Web
      browsers and Internet-connected programs like Adobe Flash
      and Apple QuickTime.

      This has led to an era of so-called "drive-by infections,"
      where users are induced to click on Web links that are
      contained in e-mail messages. Cyber-criminals have raised
      the ability to fool unsuspecting computer users into
      clicking on intriguing messages to a high art.
      Researchers note that the global cycle of distributing
      security patches inevitably plays to the advantage of the
      attacker, who can continually hunt for and exploit new
      backdoors and weaknesses in systems. This year, computer
      security firms have begun shifting from traditional
      anti-virus program designs, which are regularly updated on
      subscribers' personal computers, to Web-based services,
      which can be updated even faster.

      Security researchers at SRI International are now
      collecting over 10,000 unique samples of malware daily from
      around the global. "To me it feels like job security," said
      Phillip Porras, an SRI program director and the computer
      security expert who led the design of the company's
      Bothunter program, available free at www.bothunter.net.
      "This is always an arm race, as long as it gets into your
      machine faster than the update to detect it, the bad guys
      win," said Mr. Schneier.
    • John Kaufmann
      ... John, thanks for posting that. It s of interest - should be of critical interest - even for other-than-Windows users, because we all need to be aware of
      Message 2 of 2 , Dec 7 10:13 PM
      • 0 Attachment
        In a message dated 2008.12.07 19:38 -0500, John Rethorst wrote:
        > New York Times, December 6, 2008
        > <http://www.nytimes.com/2008/12/06/technology/internet/06security.html>

        John, thanks for posting that. It's of interest - should be of critical
        interest - even for other-than-Windows users, because we all need to be
        aware of the vulnerability of this medium and the costs of getting things wrong.

        That in turn leads to thoughts of how we might reduce the exposure, and one
        is constantly struck by the degree to which attacks are, as the article
        says, borne by email and depend for their success on only a very small
        percentage of users doing the click-on-this-link thing. But in the cost
        calculus of attackers, that percentage of stupid users can be vanishingly
        small, because the cost of reaching them is even smaller - which make me
        shake my head in wonder why the Internet is not a fee-for-service structure,
        with some non-zero cost (say, a penny/1K/recipient) for the transmission of
        each email.

        Yes, that could take a toll on legitimate mail operations, like mailing
        lists such as this one. But there's no free lunch, and users might welcome
        the chance to pay for list memberships out of monthly connection fees,
        especially if it made the medium more secure. Thieves hack for profit; the
        key to reducing the threat is to reduce the profit motive. It's amazing
        that we still resist that proposition.

        John K.
      Your message has been successfully submitted and would be delivered to recipients shortly.